Since its adoption in April 2016, the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) has been a hot topic, particularly because of its broad scope and the heavy fines for contravening it. Nearly two months after coming into force, and despite the numerous articles written about it, the GDPR is unfortunately still poorly understood and has given rise to many questions. It is shrouded in many persistent myths (five of which are dealt with below) that must be dispelled to allow Canadian enterprises and organizations that may be subject to it to set about complying with it.
1. The GDPR only applies to Canadian enterprises that have an establishment in Europe
The GDPR applies to the processing of personal data in the context of the activities of data controllers or processors within the territory of the EU. To the extent that a Canadian business has an establishment in the EU, the GDPR thus applies to its data processing activities in connection with this establishment.
However, the GDPR also applies to the processing of personal data by controllers or processors outside of the EU in connection with:
- offering goods or services to persons (referred to as “data subjects”) in the EU, whether or not a payment is involved; and
- monitoring the behaviour of such data subjects, insofar as that behaviour takes place within the EU.
Thus, a Canadian enterprise with no establishment in the EU may be subject to the GDPR to the extent any data processing it does meets the criteria for the extraterritorial application of the GDPR.
In addition to these instances of direct application of the GDPR, any Canadian enterprise serving clients who are subject to it, or who themselves serve enterprises subject thereto in connection with activities within the EU, should anticipate that compliance with the GDPR will become a contractual requirement.
2. Since Canada is covered by an adequacy decision of the European Commission, Canadian enterprises in compliance with Canadian data protection legislation are in compliance with the GDPR
Since 2001, the Personal Information and Electronic Documents Act (“PIPEDA”) has given Canada the benefit of an adequacy decision by the European Commission. This decision is an acknowledgement by the Commission that PIPEDA affords an adequate level of personal data protection. Thus, it is possible to transfer personal data of EU citizens to Canada without additional protection measures being required, such as model clauses or restrictive corporate rules.
However, the adequacy decision was rendered pursuant to EU Data Protection Directive 95/46/EC, which has now been replaced by the GDPR, and there are significant differences between PIPEDA and the GDPR, particularly in respect of the following:
- Under the GDPR, consent is only one of several legal bases justifying the processing of personal data. The rules regarding consent are also more restrictive and require that it be explicit, whereas PIPEDA recognizes the concept of implied consent in certain circumstances.
- The GDPR gives data subjects more control over their personal data. Thus, EU citizens are entitled to “data portability” (i.e. the right to receive, in a structured, commonly used and machine-readable format, the personal data about themselves they have provided to a data controller). The GDPR also recognizes the “right to erasure”, also known as the “right to be forgotten” (i.e. an individual’s right to have their personal data erased as soon as possible in certain circumstances).
- The GDPR also incorporates the notion of “privacy by design”, which is not reflected in PIPEDA. According to this notion, producers of products, services and applications should take into account the right to data protection when developing and designing such products, services and applications.
- The GDPR gives enforcement powers to the supervisory authorities, particularly through the imposition of fines, which the Privacy Commissioner under PIPEDA does not have.
Given these significant differences between the two privacy protection regimes, Canadian organizations that are subject to the GDPR cannot assume they are in compliance with it simply because they abide by the principles embodied in PIPEDA. In addition, it should be noted that over the next four years, the adequacy decision Canada benefits from thanks to PIPEDA will be reviewed by the European Commission in light of the more restrictive rules under the GDPR. Unless the federal government makes certain amendments to PIPEDA, that adequacy decision may be called into question.
3. As long as no data breach occurs, a contravention of the GDPR is inconsequential
Fines can be imposed for any contravention of the GDPR, not just in the case of a data breach or compromised data confidentiality. Contraventions of the GDPR can result in very costly fines, depending on the seriousness of the infraction:
- The most serious infractions (such as a breach of the conditions applicable to consent, infringement of the rights of data subjects, or breaches involving the transfer of personal data to a non-EU state or to an international organization) are punishable by a fine of up to 20,000,000 euros (about CA$30 million) or, if higher, 4% of an enterprise’s worldwide turnover.
- More minor infractions (e.g. the breach of certain obligations of a data controller or processor, such as those involving privacy by design or the designation of a representative in the EU) are punishable by a fine of up to 10,000,000 euros, or 2% of an enterprise’s worldwide turnover, if higher.
4. All security incidents must be reported
Under the GDPR, it is not in fact necessary to report all security incidents. The applicable standard in this regard varies depending on whether one is reporting to a supervisory authority or the persons concerned:
- The relevant supervisory authority must be informed without undue delay, and if possible within 72 hours of when the data controller learns of a breach that is likely to result in a risk to the rights and freedoms of natural persons.
- The data subjects must be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms, unless appropriate measures have been implemented to ensure their protection.
5. The GDPR only applies to the processing of personal data in a B2C context
The GDPR makes no distinction between processing data in a B2C (business to consumer) context and in a B2B (business to business) context. All personal data processing is thus covered, including that which is done between two enterprises. It should be noted that in the case of a sole proprietorship (an unincorporated business with a single owner), the individual’s email address must be treated as personal data. In fact, any business email address that allows an individual to be identified (as opposed to a generic address such as “firstname.lastname@example.org”) constitutes personal data and must be treated accordingly.
The differences between the GDPR and the Canadian regime for the protection of personal information are considerable. Given that the consequences of non-compliance with the GDPR can be significant, and that compliance with the same will inevitably become a common contractual requirement for counterparties that are subject to it, Canadian enterprises and organizations must carefully review their policies and procedures in order to determine if they are subject to the GDPR, and if so, implement a compliance strategy appropriate to the degree of risk.
Consulting a legal advisor in connection with this process will allow you to fully appreciate the GDPR’s scope of application and the obligations it imposes on your organization, avoid potentially costly errors and respond to the expectations of your clients and business partners.